Q: Can I just post a picture of my happy customers on Instagram without asking them?
"Not really. In the Netherlands, the law says a person owns their own photo. On top of that, GDPR treats it as personal data. That means you need their permission first, otherwise, they can ask you to take it down, complain, or even claim damages."
Francesco Cattaneo
Why This Matters for Small Businesses
For micro and small enterprises, nothing feels more authentic than showing real clients. A hair salon proudly posts a “before and after,” a café shares smiling diners, or a gym highlights a customer’s progress. These images look like harmless promotion, but under Dutch law they carry weight. Two legal regimes collide here:
- Portrait rights (Auteurswet): individuals control how their recognizable image is used.
- GDPR: photos of identifiable people are personal data, requiring a lawful basis, almost always consent, for publication.
Ignore these rules, and the fallout is real: takedown demands, reputational harm, even damages claims.
Portrait Rights and GDPR, A Double Lock
Dutch law defines a portrait broadly: not just a face, but also posture, context, or any distinctive feature that makes someone identifiable. If a business publishes such an image in a commercial setting without consent, the person can object and demand removal by invoking their “reasonable interest” in privacy or reputation.
At the same time, the GDPR treats a photo as personal data. Uploading it to a website or Instagram is “processing.” For marketing, the lawful basis is explicit consent. Legitimate interest is nearly impossible to defend here.
Together, portrait rights and GDPR leave no wiggle room: businesses must obtain client consent before publishing photos.
The Practical Reality for MSEs
Consent is not paperwork, it is protection.
- Written consent is safest. A signed form or quick email avoids disputes later.
- Oral consent counts, but is fragile. If a client says “yes,” it is valid, but hard to prove if they later deny it. Keep a log.
- Keep records. Archive forms, emails, or notes so you can demonstrate compliance if challenged.
Risk in Action
| Scenario | Business Example | Risk if No Consent |
|---|---|---|
| Makeover photos | Hairdresser posts “before & after” | Portrait rights violation + GDPR complaint |
| Social media stories | Restaurant shares photo of diners | Client demands removal, reputational harm |
| Progress shots | Gym posts transformation picture | Privacy complaint, possible damages claim |
Why Consent Is More Than Formality
Consent is not just a shield against regulators. It is respect. When clients are asked before being showcased, they feel valued, not exploited. Trust grows. They are more likely to share their positive experience voluntarily, amplifying your marketing with goodwill rather than with risk.
Staying Ahead
Client photos are powerful marketing. Without consent, they become a legal and reputational time bomb. Make consent routine, and you protect both your business and your customer relationships.
Action Checklist for Every Business
- Always obtain consent before posting customer photos
- Prefer written consent; if oral, log it
- Be clear on where and how the image will be used
- Keep a consent archive (forms, emails, notes)
- Train staff: no client photo goes online without consent check
Francesco Cattaneo is a qualified Italian lawyer with a Laurea in Law from the University of Florence and full Italian Bar certification (Esame di Stato). He began his career at Studio Legale Saverio Bartoli, advising on civil litigation, wealth planning, and trust law before transitioning into international compliance roles.
He later served as Legal Project Manager at Justlex, GDPR Consultant at DPO Consultancy, and Project & Compliance Manager at Tribal Agency, gaining hands-on experience across privacy law, AI regulation, and digital risk in Italy, the UK, and the Netherlands.
A graduate of Tilburg University’s Master in Law & Technology and CIPP/E-certified, Francesco combines legal depth with strategic clarity.
